    2 vulnerabilities found for Advanced Access Manager – Access Governance for WordPress by vasyltech

    CVE-2019-25213 (GCVE-0-2019-25213)

    Vulnerability from nvd – Published: 2024-10-16 06:43 – Updated: 2026-04-08 16:53
    VLAI
    Title
    Advanced Access Manager <= 5.9.8.1 - Unauthenticated Arbitrary File Read
    Summary
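    The Advanced Access Manager plugin for WordPress is vulnerable to an unauthenticated arbitrary file read in versions up to and including 5.9.8.1, due to insufficient validation of the aam-media parameter. This allows unauthenticated attackers to read any file on the server, including sensitive files such as wp-config.php, which holds the site's database credentials and secret keys. The affected range listed under Impacted products ends below 5.9.9, so 5.9.9 is the first version not listed as affected; credentials stored in wp-config.php should be rotated if the site was reachable while running an affected version.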
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    vasyltech Advanced Access Manager – Access Governance for WordPress Affected: 0 , < 5.9.9 (semver)
    advanced_access_manager_project advanced_access_manager Affected: 0 , < 5.9.9 (semver)
        cpe:2.3:a:advanced_access_manager_project:advanced_access_manager:*:*:*:*:*:*:*:*
    Credits
    Ov3rfly

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:advanced_access_manager_project:advanced_access_manager:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "advanced_access_manager",
                "vendor": "advanced_access_manager_project",
                "versions": [
                  {
                    "lessThan": "5.9.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2019-25213",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T15:35:07.214423Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T18:05:50.381Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Access Manager \u2013 Access Governance for WordPress",
              "vendor": "vasyltech",
              "versions": [
                {
                  "lessThan": "5.9.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ov3rfly"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Access Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read in versions up to, and including, 5.9.8.1 due to insufficient validation on the aam-media parameter. This allows unauthenticated attackers to read any file on the server, including sensitive files such as wp-config.php"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:53:35.212Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55e0f0df-7be2-4e18-988c-2cc558768eff?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/2098838/advanced-access-manager/trunk/application/Core/Media.php?old=2151316\u0026old_path=advanced-access-manager%2Ftrunk%2Fapplication%2FCore%2FMedia.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2019-09-09T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Advanced Access Manager \u003c= 5.9.8.1 - Unauthenticated Arbitrary File Read"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2019-25213",
        "datePublished": "2024-10-16T06:43:32.214Z",
        "dateReserved": "2024-10-15T17:42:48.469Z",
        "dateUpdated": "2026-04-08T16:53:35.212Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2019-25213 (GCVE-0-2019-25213)

    Vulnerability from cvelistv5 – Published: 2024-10-16 06:43 – Updated: 2026-04-08 16:53
    VLAI
    Title
    Advanced Access Manager <= 5.9.8.1 - Unauthenticated Arbitrary File Read
    Summary
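    The Advanced Access Manager plugin for WordPress is vulnerable to an unauthenticated arbitrary file read in versions up to and including 5.9.8.1, due to insufficient validation of the aam-media parameter. This allows unauthenticated attackers to read any file on the server, including sensitive files such as wp-config.php, which holds the site's database credentials and secret keys. The affected range listed under Impacted products ends below 5.9.9, so 5.9.9 is the first version not listed as affected; credentials stored in wp-config.php should be rotated if the site was reachable while running an affected version.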
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    vasyltech Advanced Access Manager – Access Governance for WordPress Affected: 0 , < 5.9.9 (semver)
    advanced_access_manager_project advanced_access_manager Affected: 0 , < 5.9.9 (semver)
        cpe:2.3:a:advanced_access_manager_project:advanced_access_manager:*:*:*:*:*:*:*:*
    Credits
    Ov3rfly

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:advanced_access_manager_project:advanced_access_manager:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "advanced_access_manager",
                "vendor": "advanced_access_manager_project",
                "versions": [
                  {
                    "lessThan": "5.9.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2019-25213",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-16T15:35:07.214423Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-16T18:05:50.381Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Access Manager \u2013 Access Governance for WordPress",
              "vendor": "vasyltech",
              "versions": [
                {
                  "lessThan": "5.9.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ov3rfly"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Access Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read in versions up to, and including, 5.9.8.1 due to insufficient validation on the aam-media parameter. This allows unauthenticated attackers to read any file on the server, including sensitive files such as wp-config.php"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:53:35.212Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55e0f0df-7be2-4e18-988c-2cc558768eff?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/2098838/advanced-access-manager/trunk/application/Core/Media.php?old=2151316\u0026old_path=advanced-access-manager%2Ftrunk%2Fapplication%2FCore%2FMedia.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2019-09-09T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Advanced Access Manager \u003c= 5.9.8.1 - Unauthenticated Arbitrary File Read"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2019-25213",
        "datePublished": "2024-10-16T06:43:32.214Z",
        "dateReserved": "2024-10-15T17:42:48.469Z",
        "dateUpdated": "2026-04-08T16:53:35.212Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }